What is blocked in 2.2.9?

Hi,

Can somebody explain what is meant by :

Note: This release includes enhanced security measures that disable insecure access to the hub from outside local network using port forwarding or similar means. No IOT device is meant to be accessed publicly, and our hub is no exception. Use Hubitat Remote Admin, a private VPN, or other secure means of access instead.

I mean, when port forwarding is used, actually an internal IP is accessing the Hub on behalf of the external user.
So if you do not block access to port 443, you cannot block port forwarding.
So what's new with this block ?

It’s not so much the port, as it is that it is trying to be used from a public address:


Many ISP routers (and we obviously haven't tested every single one of them) simply forward requests with original IP address intact. And yeah, if the request comes from a private address space but the IP has been manipulated using NAT mapping or whatnot, the hub will not know that. But we have to assume that people who can set up their home networks in this manner know better than exposing their local IOT device to the world without additional security in place.


Ok. but my port forwarding rule (on router) does actually inbound source nat.
So when an external IP accesses the port forwarding rule, it actually uses the router's internal IP (192.168.1.1)
So basically 192.168.1.1 accesses the hub (192.168.1.10)
this is a total local access.
How can Hubitat block this ?

Also, how can I use the /hub/allowSubnets? endpoint ?
is there a way to see what IP subnets are already allowed ?

The hub looks at the source IP of the incoming connection, so it shouldn't block anything in the scenario above.

By default, all private address space subnets are.


ok. if I need to add a static IP address to that, how can I use the endpoint ?
just send a GET request to:
http://HUB_IP/hub/allowSubnets?a.b.c.d

?
what about if I want to delete it afterwards ?

It's a full replace whenever you run the endpoint, so http://HUB_IP/hub/allowSubnets? (without query string) will reset it.

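To make the behaviour discussed in this thread concrete, here is an added example (not Hubitat's code) that models the hub's source-address check and the full-replace semantics of `/hub/allowSubnets`. It assumes "private address space" means the RFC 1918 ranges plus loopback, that the defaults survive a replace, and that several subnets may be given comma-separated; the real hub's defaults and query format are not documented here.

```python
import ipaddress

# Assumed default allow list: RFC 1918 private ranges plus loopback.
# The hub's real default set is not stated in the thread.
DEFAULT_ALLOWED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


class SubnetPolicy:
    """Model of the hub's 'only private source addresses' rule."""

    def __init__(self):
        self.allowed = list(DEFAULT_ALLOWED)

    def allow_subnets(self, query):
        """Mimic GET /hub/allowSubnets?<query>.

        Full replace: the extra subnets are whatever this call supplies;
        an empty query (no query string) resets back to the defaults.
        Hypothetical format: comma-separated hosts or CIDR prefixes.
        """
        extra = [
            ipaddress.ip_network(part.strip(), strict=False)
            for part in query.split(",")
            if part.strip()
        ]
        self.allowed = list(DEFAULT_ALLOWED) + extra

    def is_allowed(self, src_ip):
        """The check the hub applies to each incoming connection."""
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.allowed)


def observed_source(client_ip, snat_ip=None):
    """Return the address the hub actually sees.

    With a plain forward the public client address is preserved and gets
    blocked. If the router applies inbound source NAT (the 192.168.1.1
    scenario above), the hub only sees the router's LAN address and the
    check cannot distinguish that from a local client.
    """
    return snat_ip if snat_ip else client_ip
```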